wireshark/doc/ciscodump.adoc

370 lines
12 KiB
Plaintext

include::../docbook/attributes.adoc[]
= ciscodump(1)
:doctype: manpage
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
== NAME
ciscodump - Provide interfaces to capture from a remote Cisco device through SSH.
== SYNOPSIS
[manarg]
*ciscodump*
[ *--help* ]
[ *--version* ]
[ *--extcap-interfaces* ]
[ *--extcap-dlts* ]
[ *--extcap-interface*=<interface> ]
[ *--extcap-config* ]
[ *--extcap-capture-filter*=<capture filter> ]
[ *--capture* ]
[ *--fifo*=<path to file or pipe> ]
[ *--remote-host*=<IP address> ]
[ *--remote-port*=<TCP port> ]
[ *--remote-username*=<username> ]
[ *--remote-password*=<password> ]
[ *--remote-filter*=<filter> ]
[ *--sshkey*=<public key path> ]
[ *--remote-interface*=<interface> ]
[ *--remote-count*=<count> ]
[manarg]
*ciscodump*
*--extcap-interfaces*
[manarg]
*ciscodump*
*--extcap-interface*=ciscodump
*--extcap-dlts*
[manarg]
*ciscodump*
*--extcap-interface*=ciscodump
*--extcap-config*
[manarg]
*ciscodump*
*--extcap-interface*=ciscodump
*--fifo*=<path to file or pipe>
*--capture*
*--remote-host*=remotedevice
*--remote-port*=22
*--remote-username*=user
*--remote-interface*=<the device interface>
*--remote-count*=<count>
== DESCRIPTION
*Ciscodump* is an extcap tool that relies on Cisco EPC to allow a user to run a remote capture
on a Cisco device in a SSH connection. It supports IOS, IOS-XE based device and ASA devices.
The tool configures capture on the device, reads data and removes configuration from the device. Provided credentials must allow the tool to configure the device.
When capture is started, packets are provided as they are received from the device. Capture stops when:
* requested count of packets is reached (*--remote-count* is mandatory)
* when capture finishes on the device (e.g. capture buffer is full)
* the capture is stopped by the user
Capture performance depends on a device type. The tool tries to read packets as soon as they received, but is usually slower than capturing device captures packets. Therefore packets are read in batches.
IOS/IOS-XE provides only access to all captured packets from the top. Therefore reading of second batch means to read all packets from first batch, but ignore them and then read new packets in second batch.
ASA provides access to specific packet so tool reads every packet just once.
=== SUPPORTED CISCO SOFTWARE
The application supports IOS version is 12.4 and higher. The IOS version supporting capture feature is 12.4(20)T and higher. More details can be
found here: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-embedded-packet-capture/datasheet_c78-502727.html
The application supports IOS-XE version 16.1 and higher. Search for "Embedded Packet Capture Configuration Guide, Cisco IOS XE" to get more details.
The application supports ASA version 8.4 and higher. More details can be found here: https://community.cisco.com/t5/security-documents/asa-using-packet-capture-to-troubleshoot-asa-firewall/ta-p/3129889
== OPTIONS
--help::
+
--
Print program arguments.
--
--version::
+
--
Print program version.
--
--extcap-interfaces::
+
--
List available interfaces.
--
--extcap-interface=<interface>::
+
--
Use specified interfaces.
--
--extcap-dlts::
+
--
List DLTs of specified interface.
--
--extcap-config::
+
--
List configuration options of specified interface.
--
--capture::
+
--
Start capturing from specified interface and save it in place specified by --fifo.
--
--fifo=<path to file or pipe>::
+
--
Save captured packet to file or send it through pipe.
--
--remote-host=<remote host>::
+
--
The address of the remote host for capture.
--
--remote-port=<remote port>::
+
--
The SSH port of the remote host.
--
--remote-username=<username>::
+
--
The username for ssh authentication.
--
--remote-password=<password>::
+
--
The password to use (if not ssh-agent and pubkey are used). WARNING: the
passwords are stored in plaintext and visible to all users on this system. It is
recommended to use keyfiles with a SSH agent.
--
--remote-filter=<filter>::
+
--
The remote filter on the device. This is a capture filter that follows the Cisco
standards.
For IOS/IOS-XE see https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html.
For ASA see https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/access-acls.html.
Multiple filters can be specified using a comma between them. BEWARE: when using
a filter, the default behavior is to drop all the packets except the ones that
fall into the filter.
Examples for IOS/IOS-XE:
permit ip host MYHOST any, permit ip any host MYHOST (capture the traffic for MYHOST)
deny ip host MYHOST any, deny ip any host MYHOST, permit ip any any (capture all the traffic except MYHOST)
Examples for ASA:
permit any4 host MYHOST, permit host MYHOST any4 (capture IPv4 traffic for MYHOST)
NOTE: Different capture types support or do not support specific ACL keywords. The tool is not able to check it, just tries to configure it. If error occurs, the tool just reports it and terminates. Debris are left in configuration in this case.
--
--sshkey=<SSH private key path>::
+
--
The path to a private key for authentication.
--
--remote-interface=<remote interface>::
+
--
The remote network interface to capture from. One interface or list of interface names can be used. Interfaces are separated by comma. Interface names must be supported by the device.
There are interface names causing different capture types. They are specific to used Cisco software.
*IOS special names*
* `process-switched` - capture process switched packets in both directions
* `from-us` - capture process switched packets originating at the device
*IOS-XE special names*
* `control-plane` - captures in/out packets touching control plane
*ASA special names*
* `asp-drop` - capture packets dropped by all asp categories
* `TYPE---ifname` - syntax to refer ASA capture types, see https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/ca-cld-commands.html#wp2435483314
** `isakmp---ifname` - capture isakmp packets
** `lacp---ifname` - capture lacp packets (just physical interfaces are supported)
** `tls-proxy---ifname` - capture tls-proxy packets
** `inline-tag---ifname` - capture all SGT tagged packets
** `raw-data---ifname` - same as `ifname`
* syntax to capture decrypted traffic for some of capture types:
** `isakmp/decrypted---ifname` - capture isakmp packets including decrypted payload
** `tls-proxy/decrypted---ifname` - capture tls-proxy packets including decrypted payload
** `inline-tag/decrypted---ifname` - capture inline-tag packets including decrypted payload
** `raw-data/decrypted---ifname` - capture raw-data packets including decrypted payload
Use e. g. `isakmp/decrypted---outside` to capture encrypted and decrypted isakmp traffic on `outside` interface.
--
--remote-count=<count>::
+
--
Count of packets to capture. Capture is stopped when count is reached.
--
--extcap-capture-filter=<capture filter>::
+
--
Unused (compatibility only).
--
== EXAMPLES
To see program arguments:
ciscodump --help
To see program version:
ciscodump --version
To see interfaces:
ciscodump --extcap-interfaces
Only one interface (ciscodump) is supported.
.Example output
interface {value=ciscodump}{display=SSH remote capture}
To see interface DLTs:
ciscodump --extcap-interface=ciscodump --extcap-dlts
.Example output
dlt {number=147}{name=ciscodump}{display=Remote capture dependent DLT}
To see interface configuration options:
ciscodump --extcap-interface=ciscodump --extcap-config
.Example output
ciscodump --extcap-interface=ciscodump --extcap-config
arg {number=0}{call=--remote-host}{display=Remote SSH server address}
{type=string}{tooltip=The remote SSH host. It can be both an IP address or a hostname}
{required=true}{group=Server}
arg {number=1}{call=--remote-port}{display=Remote SSH server port}
{type=unsigned}{default=22}{tooltip=The remote SSH host port (1-65535)}
{range=1,65535}{group=Server}
arg {number=2}{call=--remote-username}{display=Remote SSH server username}
{type=string}{default=<current user>}{tooltip=The remote SSH username. If not provided, the current user will be used}
{group=Authentication}
arg {number=3}{call=--remote-password}{display=Remote SSH server password}
{type=password}{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}
{group=Authentication}
arg {number=4}{call=--sshkey}{display=Path to SSH private key}
{type=fileselect}{tooltip=The path on the local filesystem of the private ssh key}
{group=Authentication}
arg {number=5}{call=--proxycommand}{display=ProxyCommand}
{type=string}{tooltip=The command to use as proxy for the SSH connection}{group=Authentication}
arg {number=6}{call--sshkey-passphrase}{display=SSH key passphrase}
{type=password}{tooltip=Passphrase to unlock the SSH private key}{group=Authentication
arg {number=7}{call=--remote-interface}{display=Remote interface}
{type=string}{tooltip=The remote network interface used for capture}
{required=true}{group=Capture}
arg {number=8}{call=--remote-filter}{display=Remote capture filter}
{type=string}{tooltip=The remote capture filter}{default=<filter to exclude current host>}
{group=Capture}
arg {number=9}{call=--remote-count}{display=Packets to capture}
{type=unsigned}{tooltip=The number of remote packets to capture.}
{required=true}{group=Capture}
arg {number=10}{call=--debug}{display=Run in debug mode}
{type=boolflag}{default=false}{tooltip=Print debug messages}
{required=false}{group=Debug}
arg {number=11}{call=--debug-file}{display=Use a file for debug}
{type=string}{tooltip=Set a file where the debug messages are written}
{required=false}{group=Debug}
To capture on IOS/IOS-XE:
ciscodump --extcap-interface ciscodump --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10
--remote-username user --remote-interface gigabit0/0,gigiabit0/1
--remote-filter "permit ip host 192.168.1.1 any, permit ip any host 192.168.1.1"
--remote-count=10
To capture on IOS/IOS-XE:
ciscodump --extcap-interface ciscodump --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10
--remote-username user --remote-interface outside,dmz
--remote-filter "permit host 192.168.1.1 any4, permit any4 host 192.168.1.1"
--remote-count=10
ciscodump --extcap-interface ciscodump --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10
--remote-username user --remote-interface raw-data/decrypted---outside
--remote-filter "permit host 192.168.1.1 any4, permit any4 host 192.168.1.1"
== KNOWN ISSUES
When capture stopped by the user before it finishes on Windows platform, configuration is not cleared on the device. Next run will probably fails because parts of configuration already exists on the device.
Reading performance on IOS/IOS-XE is poor because re-reading of capture buffer over and over.
The configuration of the capture on the device is a multi-step process. If the SSH connection is interrupted during
it, the configuration can be in an inconsistent state. That can happen also if the capture is stopped and ciscodump
can't clean the configuration up. In this case it is necessary to log into the device and manually clean the
configuration, removing configuration elements:
* IOS
** capture points WSC_P_<number> (depends on count of capture interfaces)
** the capture buffer WSC_B
** the capture capture acl WSC_ACL (if filter was used)
* IOS-XE
** the capture WSC
** the capture capture acl WSC_ACL (if filter was used)
* ASA
** the capture WSC
** the capture capture acl WSC_ACL (if filter was used)
On IOS platforms, only IPv4 commands issued and only IPv4 packets are captured.
== SEE ALSO
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4), xref:sshdump.html[sshdump](1)
== NOTES
*ciscodump* is part of the *Wireshark* distribution. The latest version
of *Wireshark* can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at
https://www.wireshark.org/docs/man-pages.
== AUTHORS
.Original Author
[%hardbreaks]
Dario Lombardo <lomato[AT]gmail.com>